National Science Foundation
4201 Wilson Boulevard
Arlington, Virginia 22230

Office of Inspector General

MEMORANDUM

DATE:     July 9, 2009

TO:       Mary F. Santonastasso, Director
          Division of Institution and Award Support

          Karen Tiplady, Director
          Division of Grants and Agreements

THRU:     Deborah H. Cureton, /s/
          Associate Inspector General for Audit
          Office of Inspector General

FROM:     Laura Ann Koren, Audit Oversight Manager /s/
          Office of Inspector General

SUBJECT:  NSF OIG Audit Report No. 09-1-010,
          Agreed Upon Procedures Internal Control Review of
          Carnegie Institution of Washington

The Office of Inspector General (OIG) engaged Cotton & Company LLP to perform an agreed
upon procedures Internal Control Review of Carnegie Institution of Washington (CIW). The
OIG initiated this agreed upon procedures review because four former CIW employees were
prosecuted and convicted of embezzling over $532,222 from 2000 to 2006 while employed at
CIW. Approximately $200,000 of this amount was embezzled from NSF awards.
xxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The objectives of the agreed upon procedures were to:

   •   Determine whether CIW’s internal control systems are adequate to properly
       accumulate, track, and monitor its costs and billings under NSF grants in compliance
       with NSF and Federal requirements; and,

   •   Determine whether CIW’s corrective action plan to improve its internal controls,
       initiated by CIW after the second embezzlement, was implemented and operating
       effectively.

NSF OIG Audit Report No. OIG-09-1-XXX

Cotton & Company performed fieldwork on this engagement, for the most part, from June
through September 2007 and sampled CIW transactions posted to CIW’s NSF grants from the
period January 2004 through March 2007. CIW is a consistent recipient of NSF grant funds and
currently has 47 NSF grants totaling approximately $31 million. Therefore, it is important that
CIW maintain adequate financial and administrative internal controls to prevent embezzlements
from recurring in the future.

This agreed upon procedures engagement was conducted in accordance with Attestation
Standards established by the American Institute of Certified Public Accountants and the
standards applicable to attestation engagements contained in Government Auditing Standards
issued by the Comptroller General of the United States.
Cotton & Company’s agreed upon
procedures report on the Internal Control Review of the Carnegie Institution of Washington is
included as an attachment to this memorandum.

Summary Results of the Internal Control Review

Overall, Cotton & Company found that CIW has not fully developed and implemented adequate
financial and administrative policies and procedures for the entire organization. Without internal
control over financial and business management, CIW continues to have internal control
weaknesses that could result in recurring embezzlements and that continue to affect CIW’s
management of NSF grant funds.

The auditors noted continuing internal control deficiencies even though CIW had hired its
external auditors, KPMG LLP, after its second embezzlement in 2004 to review processes and
internal controls to help strengthen CIW’s financial management. CIW developed a corrective
action plan in response to KPMG’s internal control report that did not address or fully address all
of KPMG’s recommendations. Further, CIW developed institution-wide federal grant financial
and administrative policies and procedures but these policies and procedures did not provide
adequate or sufficient guidance in areas such as journal entries, safeguarding of blank checks,
and segregation of duties in procurement and disbursement processes.
Moreover, none of the
seven CIW departments adequately implemented these policies and procedures.

The auditors also found that grant monitoring practices were inadequate at four of the seven CIW
departments; CIW did not have standardized, institution-wide, written journal entry procedures
for departments to follow; six of the seven CIW Departments had inadequate segregation of
duties or inadequate controls over the disbursement process; six of the seven CIW departments
did not adhere to CIW’s institution-wide labor effort reporting procedures; and, CIW’s
institution-wide purchase-order procedures were inadequate because they did not define the
dollar threshold for when those procedures should be utilized. In addition, two of the seven CIW
departments did not use purchase orders as part of their procurement process.

Additionally, other internal control weaknesses came to the attention of the auditors including
the lack of segregation of cash receipt duties and the lack of adherence to procedures for cash
receipt processing at OCIW; inadequate inventory control at GEO and the Department of Plant
Biology (PBIO); and lack of adherence to CIW and federal travel policies at the Department of
Terrestrial Magnetism (DTM) and OCIW.

The auditors made a number of recommendations to address these internal control weaknesses
including recommendations that NSF ensure that CIW’s Board of Trustees fully implement
recommendations in CIW’s 2004 KPMG internal control report and provide ongoing monitoring
to verify that corrective actions are taken; fully develop and implement adequate financial and
administrative policies and procedures for the entire organization; periodically evaluate business
practices at departments to ensure adequate implementation of CIW’s policies and procedures;
develop and implement a policy requiring all CIW department directors to monitor the financial
and administrative federal grant processes at their respective departments; hire or delegate an
individual at P Street to serve as a business manager to approve and administer federal grant
financial and administrative affairs of the P Street principal investigators (PIs); implement
policies and procedures over journal entries for all CIW Departments; develop and implement
institution-wide policies and procedures that require all CIW departments to segregate
disbursement functions adequately and require appropriate levels of approval and certification of
payments; ensure that institution-wide labor-effort reporting procedures are adequately
implemented and adhered to by all CIW departments; develop and implement procedures that
require all personnel to notify supervisors when leave is requested and taken and require
labor-effort reports to accurately reflect such leave; and establish institution-wide written procedures
requiring use of purchase orders for the authorization and budgeting of all CIW department
purchases to include dollar thresholds and specific guidelines for purchase-order use.

The auditors also recommended that NSF ensure that OCIW properly segregate duties related to
cash receipts, make deposits in accordance with its own written
procedures, and eliminate its
separate bank account for incoming checks; require GEO and PBIO to properly identify federal
assets and establish a procedure that ensures that all departments conduct annual asset
inventories; and formulate and implement a monitoring process that will ensure that all
departments comply with the Office of Management and Budget (OMB) and CIW travel
regulations regarding meal and lodging costs.

In its response, CIW noted that since completion of the auditor’s fieldwork, which took place for
the most part from June through September 2007, CIW indicated that it has made improvements
to its policies, procedures and financial software, including installing a new accounting and
administrative system. Accordingly, CIW believes the report does not reflect the current state of
its internal controls. CIW’s response details improvements to its policies and procedures that it
states that it has already made or will be made. We recognize that CIW was in the process of
revising its policies, procedures, and controls both during and subsequent to the auditor’s
fieldwork. The majority of those improvements are proposed and therefore reflective of CIW’s
current state of internal controls.

We consider the issues in this report to be significant. Accordingly, we request that your office
work with CIW to develop a written Corrective Action Plan detailing specific actions taken
and/or planned to address each report recommendation. Milestone dates should be provided for
corrective actions not yet completed.

In accordance with OMB Circular A-50, please coordinate with our office during the 6-month
resolution period to develop a mutually agreeable resolution of the report findings. Also, the
report findings should not be closed until NSF verifies that all the recommendations have been
adequately addressed and the proposed corrective actions have been satisfactorily implemented.

OIG Oversight of Attestation Engagement

To fulfill our responsibilities under Generally Accepted Government Auditing Standards, the
Office of Inspector General:

   •   Reviewed Cotton & Company’s approach and planning of the agreed upon procedures
       engagement;
   •   Evaluated the qualifications and independence of the auditors;
   •   Monitored the progress of the engagement at key points;
   •   Coordinated periodic meetings with Cotton & Company and OIG management to discuss
       engagement progress, findings and recommendations;
   •   Reviewed the engagement report prepared by Cotton & Company to ensure compliance
       with Generally Accepted Government Auditing Standards and American Institute of
       Certified Public Accountants standards as they relate to attestation engagements and
       Office of Management and Budget Circulars; and,
   •   Coordinated issuance of the Internal Control Review report.

Cotton & Company is responsible for the attached report on Carnegie Institution of Washington
and its internal controls and the conclusions expressed in that report. The NSF OIG does not
express any opinion on the Carnegie Institution of Washington’s internal controls, or the
conclusions presented in the Cotton & Company report.

We thank you and your staff for the assistance extended to us during the audits.
If you have any
questions about the report, please contact me at (703) 292-8456.

Attachment: Internal Control Review Report of Carnegie Institution of Washington


CARNEGIE INSTITUTION OF WASHINGTON
INTERNAL CONTROL REVIEW

NATIONAL SCIENCE FOUNDATION
OFFICE OF INSPECTOR GENERAL

Cotton & Company LLP
635 Slaters Lane, 4th Floor
Alexandria, Virginia 22314


EXECUTIVE SUMMARY

BACKGROUND

The National Science Foundation (NSF), Office of Inspector General (OIG), engaged Cotton &
Company LLP to perform agreed upon procedures to assist the NSF OIG in determining if
Carnegie Institution of Washington’s (CIW) internal control systems are adequate to properly
accumulate, track, and monitor its costs and billings under NSF grants in compliance with NSF
and federal requirements. The objective was also to determine if CIW’s corrective action plan
was implemented and is operating effectively.

The NSF OIG initiated this agreed-upon-procedures review, because four former CIW
employees were prosecuted and convicted of embezzling over $532,222 from 1994 to 2006
while employed at CIW. Approximately $200,000 of this amount was embezzled from NSF
awards. Employees were from the Carnegie Headquarters Department (P Street), Carnegie
Observatories (OCIW), and Carnegie Geophysical Laboratory (GEO).

In response to the first two of three instances of embezzlement, CIW hired its external auditors,
KPMG, to review processes and internal controls and provide recommendations to help CIW
strengthen its financial management.
Specifically, KPMG found that CIW lacked adequate
processes and procedures for safekeeping of its assets; lacked adequate policies and procedures
for accounting and financial management at the Departments; lacked adequate segregation of
duties at the department level; lacked supervisory oversight and monitoring of the departments’
internal controls and processes; lacked adequate effort reporting process; lacked a standardized
procurement process throughout the institution; and, lacked a standardized backup process for
departments’ accounting records and operational data.

In its 2004 Internal Control Review, KPMG recommended that CIW implement processes and
procedures for safekeeping of its assets, including requiring the departments to conduct annual
asset inventories; provide departments with policies and procedures for accounting and financial
management; increase supervisory checks and balances to compensate for the lack of segregation
of duties at departments; revise the organizational structure to either include a Chief Financial
Officer position or to enhance the responsibilities and authority of the Director of Administration
and Finance; automate the effort reporting process by allowing employees to enter their
percentage of effort directly into the system that tracks efforts; streamline the purchasing process
and use an automated procurement system; create a Chief Information Officer position and
verify that each department is adequately backing up their accounting data and operational data.

In response to KPMG’s recommendations, CIW formulated a corrective action plan that
indicated, among other things, that it would develop institution-wide policies and procedures that
may be tailored to each Department’s circumstances; implement an automated procurement
system; review and enhance its effort reporting process; review and enhance the financial
reporting processes throughout the
Institution; and, appoint a new Chief Information Officer and
develop institution-wide procedure for backing up data. CIW’s Corrective Action Plan did not
address the KPMG recommendation of creating the Chief Financial Officer position or
enhancing the responsibilities and authorities of the Director of Administration and Finance.
CIW’s President did, however, enhance responsibilities and authority of the Director of
Administration and Finance over CIW department business managers in March 2007.

OBJECTIVES

The objectives of this engagement were to perform agreed-upon procedures to assist the NSF
OIG in determining whether CIW’s internal control systems are adequate to properly
accumulate, track, and monitor its costs and billings under NSF grants in compliance with NSF
and federal requirements. In addition, the objective was also to determine whether CIW’s
corrective action plan was implemented and is operating effectively. We performed fieldwork on
this engagement, for the most part, from June through September 2007. Our work included
sampling CIW transactions posted to its NSF grants from the period January 2004 through
March 2007. During the period of our review and thereafter, CIW continued to modify and
revise policies and procedures to strengthen its internal controls.

RESULTS AND RECOMMENDATIONS

CIW has not fully developed and/or implemented adequate financial and administrative policies
and procedures for the entire organization. Without internal control over financial and business
management, CIW continues to have internal control weaknesses that could result in recurring
embezzlements and that continue to affect CIW’s management of NSF grant funds.
Results of
our agreed-upon procedures are detailed in Appendix A.

CARNEGIE INSTITUTION OF WASHINGTON RESPONSE

We conducted an exit conference with CIW on April 22, 2009. We presented CIW with a draft
report, to which they responded in writing on June 1, 2009. We have included CIW’s response in
summary after each recommendation under the caption Management Comments and in its
entirety in Appendix C to this report.

In its response, CIW noted that since completion of our fieldwork, which took place for the most
part from June through September 2007, CIW indicated that it has made improvements to its
policies, procedures and financial software, including installing a new accounting and
administrative system. Accordingly, it believes the report does not reflect the current state of its
internal controls. CIW’s response details improvements to its policies and procedures that it
states it has already made or will be made. We recognize that CIW was in the process of revising
its policies, procedures, and controls both during and subsequent to our fieldwork. The majority
of those improvements are proposed and therefore the report is reflective of CIW’s current state
of internal controls. Those corrective actions, as described in CIW’s comments, are responsive to
our recommendations if properly implemented.
We do, however, recommend that NSF confirms
as part of the audit resolution process that proposed and revised policies and procedures have
been adequately implemented.


CONTENTS

Executive Summary
Introduction
    Background
    Objectives, Scope, and Methodology
Independent Accountant’s Report on Applying Agreed-Upon Procedures

Appendixes
A    Results of Agreed-Upon Procedures and Recommendations
B    Agreed-Upon Procedures
C    Response from The Carnegie Institution of Washington


INTRODUCTION

BACKGROUND

The National Science Foundation (NSF), Office of Inspector General (OIG), engaged Cotton &
Company LLP to perform agreed-upon procedures to assist the NSF OIG in determining if
Carnegie Institution of Washington’s (CIW) internal control systems were adequate to properly
accumulate, track, and monitor its costs and billings under NSF grants in compliance with NSF
and federal requirements. The objective was also to determine if CIW’s corrective action plan
was implemented and operating effectively.

Information about Carnegie Institution of Washington

Carnegie Institution of Washington (CIW) was founded in 1902 as a not-for-profit organization
for scientific discovery. It has seven departments, which include the administrative headquarters
department, referred to as P Street, located in Washington, DC.
All departments, listed below,
have independent scientific pursuits and employ principal investigators (PIs). CIW is a consistent
recipient of NSF grant funds and currently has 47 NSF grants totaling approximately $31
million.

Department                                  Location
Headquarters Department (P Street)          Washington, DC
Department of Terrestrial Magnetism (DTM)   Washington, DC (shared with GEO)
Geophysical Lab (GEO)                       Washington, DC (shared with DTM)
Department of Embryology (EMB)              Johns Hopkins University Campus, Baltimore
Observatories (OCIW)                        Pasadena, California
Department of Plant Biology (PBIO)          Stanford University, Palo Alto, California (shared with DGE)
Department of Global Ecology (DGE)          Stanford University, Palo Alto, California (shared with PBIO)

With the exception of P Street, each department has a business office headed by a business
manager or fiscal officer to handle financial and administrative matters generated from PI grant
activity. PBIO and DGE share a business office on the Stanford University campus, and one
business manager serves both departments. P Street does not have a business manager or fiscal
officer to oversee PI grant activities. However, in March 2007, CIW’s President did enhance the
responsibilities and authority of the Director of Administration and Finance over departmental
business managers.

Three Instances of Embezzlement

Four former CIW employees (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) were prosecuted
and convicted of embezzling over $532,222 from 1994 to 2006 while employed at CIW.
Approximately $200,000 of this amount was embezzled from NSF awards.

In the first instance of embezzlement, a former xxxxxxxxxxxx embezzled more than $200,000
from federal award funds between 1994 and 1999.
The Co-PI’s scheme included paying his
spouse over $83,000 in salary for false time-and-effort reports that he forged; converting
property purchased with award funds to xxx personal use; and fabricating invoices and receipts
for purchases to make them appear award-related when, in fact, they were items purchased for
his family and home. Because CIW did not have adequate controls in place to verify, validate, or
monitor the xxxxxx purchases or labor effort charged to NSF grants, these illegal activities
continued undetected for 5 years. The xxxxxx ultimately pled guilty in federal district court to
one felony count of embezzling funds from a program receiving federal funds. This resulted in a
sentence of 12-months incarceration and restitution in the amount of $202,000.

In the second instance of embezzlement, a former xxxxxxxxxxxxxxxxxxx xxxxxx xxxxxxx pled
guilty in state court to 6 felony counts of grand theft and 12 felony counts of forgery involving a
scheme by which she forged checks to fabricated vendors between 2001 and 2004, totaling
$132,222 in stolen funds. Once again, Carnegie did not have adequate controls in place to detect
or prevent multiple payments to fabricated vendors, which resulted in the embezzlement scheme
going undetected for 3 years. This embezzlement resulted in a sentence of 361 days of
incarceration, 5 years of probation, and restitution in the amount of $238,240, which included the
total amount stolen plus investigative and audit costs incurred by CIW for this matter.

Most recently, one former xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx pled guilty in federal district court for engaging in a long-term scheme between
2002 and 2006 to use their corporate credit cards for unauthorized personal expenditures
exceeding $200,000 in stolen funds.
The two xxxxxx xxxxxx xxxxxx involved in the scheme
worked within the same business office and served as the exclusive approving official for each
other’s illegal purchasing activity. Again, CIW lacked adequate internal controls to prevent or
detect aberrant approvals and authorizations within its organization. These episodes of
embezzlement resulted in a sentence of incarceration, probation, and restitution for the xxxxxx
xxxxxx xx, who held the more senior position, and a sentence of probation and restitution for the
former accounts payable manager.

CIW Response to Embezzlements

In response to the first two instances of embezzlement, CIW hired KPMG, its external auditors,
in 2004 to review processes and internal controls and provide recommendations to help CIW
strengthen its financial management. KPMG identified control weaknesses over accounting and
financial management that affected CIW’s ability to provide adequate oversight of NSF grants
and grant funds and made specific recommendations. In response, CIW developed a Corrective
Action Plan. The CIW plan did not, however, specifically address the KPMG recommendation to
create the Chief Financial Officer position or enhance responsibilities and authorities of the
Director of Administration and Finance. However, in March 2007, CIW’s President did enhance
the responsibilities and authority of the Director of Administration and Finance over the business
managers in the departments. CIW also did not fully address all KPMG report recommendations
or implement the plan components it did develop.

OBJECTIVES, SCOPE, AND METHODOLOGY

Our objectives were to perform agreed-upon procedures to assist the NSF OIG in determining if
CIW’s internal control systems were adequate to properly accumulate, track, and monitor its
costs and billings under NSF grants in compliance with NSF and federal requirements.
The
objective was also to determine if CIW’s corrective action plan was implemented and operating
effectively. We performed fieldwork on this engagement, for the most part, from June through
September 2007 and sampled CIW transactions posted to its NSF grants that occurred over the
period January 2004 through March 2007. During the period of our review and thereafter, CIW
continued to modify and revise policies and procedures to strengthen its internal controls.

To achieve these objectives, we obtained and reviewed background information and
documentation from NSF, KPMG, and CIW that included financial statement and OMB Circular
A-133 audit reports and corresponding work papers, including cycle memorandums and other
relevant audit work papers; grant documents, including grant budgets, proposals, and other
award documents; internal control review reports; CIW policies and procedures manuals, both at
the institution and departmental levels, where existing; and NSF grant correspondence.

We then obtained, reviewed, and gained an understanding of the 2004 KPMG internal control
review report and CIW’s Corrective Action Plan formulated in response to report
recommendations. We determined which of the items within these two documents affected NSF
award funds.

We then focused the scope of our work on the internal control review recommendations and
Corrective Action Plan items that impacted NSF award funds to determine if CIW addressed
recommendations made by KPMG in its Corrective Action Plan and if internal control corrective
action plan items were implemented and operating as intended.

We next identified all NSF grant awards active at CIW from 2004 to 2006 and selected samples
of grants and various internal control accounting cycle items from at least one grant at each CIW
department.
For sampled transactions at each location, we obtained and reviewed all supporting
documentation, tested internal control attributes, and documented if internal control policies and
procedures were followed. We also interviewed CIW representatives in each department to
determine their understanding of their responsibilities with regard to federal and NSF funds and
determined if the CIW Corrective Action Plan was implemented and operating effectively within
that department.

This agreed-upon procedures engagement was performed in accordance with standards
established by the American Institute of Certified Public Accountants and generally accepted
government auditing standards. The sufficiency of these procedures is solely the responsibility of
the OIG. We were not engaged to and did not perform an examination, the objective of which
would be expression of an opinion on the subject matter. Accordingly, we do not express such an
opinion. Had we performed other procedures, other matters might have come to our attention that
would have been reported to you.

Results of our procedures are detailed in Appendix A.


National Science Foundation
Office of Inspector General
4201 Wilson Boulevard
Arlington, Virginia 22230

INDEPENDENT ACCOUNTANT’S REPORT ON APPLYING
AGREED-UPON PROCEDURES

Cotton & Company LLP performed the procedures described in Appendix B, which were agreed
to by the NSF OIG solely to assist the OIG in evaluating internal controls at CIW. This
agreed-upon-procedures engagement was performed in accordance with standards established by the
American Institute of Certified Public Accountants and generally accepted government auditing
standards.
The sufficiency of these procedures is solely the responsibility of the OIG.
Consequently, we make no representation regarding the sufficiency of the procedures described
below, either for the purpose for which this report has been requested or any other purpose.

We have summarized results of our agreed-upon procedures in Appendix A. We were not
engaged to and did not perform an examination, the objective of which would be expression of
an opinion on the subject matter. Accordingly, we do not express such an opinion. Had we
performed other procedures, other matters might have come to our attention that would have
been reported to you.

This report is intended solely for the information and use of the NSF OIG, NSF, and CIW and is
not intended to be and should not be used by anyone other than these specified parties.

COTTON & COMPANY LLP

/s/

xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx
May 15, 2009


APPENDIX A
RESULTS OF AGREED-UPON PROCEDURES AND RECOMMENDATIONS

Finding No. 1: Corrective Action Plan Not Fully Implemented

In response to the first two instances of embezzlement, CIW hired its external auditors, KPMG,
in 2004 to review processes and internal controls and provide recommendations to help CIW
strengthen its financial management. The KPMG report noted a number of instances of
inadequate processes and controls.
Some of these are particularly relevant to NSF grant awards;
KPMG found that CIW lacked adequate:

   •   Processes and procedures for safekeeping of its assets.
   •   Policies and procedures for departmental accounting and financial management.
   •   Departmental segregation of duties.
   •   Departmental supervisory oversight and monitoring.
   •   Time-and-effort reporting systems for federal grants.
   •   Procurement processes throughout the organization.
   •   Standardization over backup process for departmental accounting records and
       operational data.

KPMG recommended in its report that CIW:

   •   Implement processes and procedures for safekeeping of its assets, including
       requiring departments to conduct annual asset inventories.

   •   Provide departments with policies and procedures for accounting and financial
       management.

   •   Increase supervisory checks and balances to compensate for the lack of
       departmental segregation of duties.

   •   Revise the organizational structure to either include a Chief Financial Officer
       position or enhance responsibilities and authority of the Director of
       Administration and Finance.

   •   Automate the effort-reporting process by allowing employees to enter their
       percentage of effort directly into the system that tracks efforts.

   •   Streamline the purchasing process and use an automated procurement system.

   •   Create a Chief Information Officer position and verify that each department is
       adequately backing up its accounting and operational data.

In response to KPMG’s recommendations, CIW formulated a Corrective Action Plan that
indicated, among other things, that it would:

   •   Develop institution-wide policies and procedures that may be tailored to each
       department’s circumstances.

   •   Implement an automated procurement system.

   •   Review and enhance its effort-reporting process.

   •   Review and enhance financial reporting processes throughout the institution.

   •   Appoint a new Chief Information Officer and develop institution-wide procedure
       for backing up data.

CIW’s Corrective Action Plan did not, however, address or fully address all the
recommendations in the KPMG report.

CIW’s Board of Trustees also conducted its own review and issued its Report of the Review
Committee for Administration in November 2006. This report was a summary of CIW’s attempt
to address its changing administrative and financial systems climate, which the report described
as “strained.” The report also referenced the CIW structure and noted that it “has led to both
inefficiencies and at times ambiguous authority over financial reporting activities.”

Further, while the report stated that, in general, department directors and business managers
favored the current reporting relationship, a minority view saw benefits for a department
business manager having “a dotted line relationship with the Director of Administration and
Finance (at P Street).” In addition, the report quoted strong sentiment on the matter of
establishing an internal audit function as a mechanism for preventing thefts and strengthening
operations.

While the report concluded that the decentralized structure would continue to be the appropriate
organization form for CIW, it also concluded that “until there is a common understanding that
[CIW] needs standardized, coordinated and timely procedures, it will not solve the problems
identified.” Finally, the report
recommended that business managers have two reporting\nrelationships, to the department director at each CIW location and to the Director of\nAdministration and Finance, and that CIW should seek to strengthen internal controls.\n\nThis situation occurred because CIW executive management has historically considered\ndepartments to be separate entities with separate scientific missions. When the CIW Board of\nTrustees conducted its own review in 2006, it noted that \xe2\x80\x9cdepartment directors and business\nmanagers favored the current reporting relationships where business managers report to\ndepartments.\xe2\x80\x9d\n\nAlthough CIW\xe2\x80\x99s corrective action plan did not address the KPMG recommendation to add a\nCFO or expand responsibilities of the Director of Administration, CIW\xe2\x80\x99s President did enhance\nresponsibilities and authority of the Director of Administration and Finance over the business\nmanagers in the departments in March 2007.\n\n\n\n                                           A-2\n\x0cRecommendation No. 1\n\nWe recommend that NSF\xe2\x80\x99s Director of the Division of Grants and Agreements direct CIW\xe2\x80\x99s\nBoard of Trustees to fully implement recommendations in the KPMG October 2004 report and\nprovide ongoing monitoring to verify the corrective actions are taken.\n\nManagement\xe2\x80\x99s Comments\n\nIn its response to the draft audit report (Appendix C), CIW stated that:\n\n       We have implemented all the major recommendations in the KPMG report.\n       Nonetheless, we agree that there are some further actions that should be\n       undertaken.\n\n       In October 2004, Carnegie engaged KPMG to review its internal controls.\n       KPMG made 17 separate recommendations, some with several components, and\n       ranked them as high, medium, or low priority in recognition of the fact that not all\n       items could be addressed simultaneously. 
       Carnegie’s action plan to address this
       report grouped the recommendations into five activity areas. The goal of the
       action plan was to remedy the findings of control deficiencies, whether through
       implementation of the KPMG recommendation or through alternative steps that
       Carnegie determined would achieve the intended goal. The action plan involved
       several steps that were implemented relatively quickly, such as the appointment of
       the Chief Information Officer, and other steps that required a longer period, such
       as replacing the computerized accounting system with a new financial system.

       One particular issue highlighted in the draft report is the KPMG recommendation
       related to organizational structure, as follows:

               “Revise the organizational structure to either include a Chief Financial
               Officer position in addition to the Director of Administration and Finance
               or to enhance the responsibilities and authority of the Director of
               Administration and Finance.”

       In 2006, Carnegie assessed administrative operations, including organizational
       structure and reporting responsibilities, through an Administration Review. The
       review process was directed by the President and involved several members of the
       Board of Trustees and various outside experts. Prior to and following that review,
       the President enhanced the authority of the Director of Administration and
       Finance. In a memorandum dated March 30, 2007, the President informed all
       affected parties within the Institution that effective immediately:

               “…..Business managers will respond to guidance from the Director of
               Administration and Finance concerning institution wide matters.
               In assessing the performance of business managers, department directors
               will receive input from the Director of Administration and Finance
               concerning performance on institution wide matters….”

       Prior to that memo, the President had earlier directed that all hires in business
       offices in departments must be approved by the Director of Administration and
       Finance, and that all non-scientific hires in the Institution must undergo a
       background check, the results of which were to be reviewed at headquarters. The
       President, in the March 30, 2007 memorandum, further advised that he would
       periodically review the revised reporting structure to assure its effectiveness. In
       short, the President did take steps to enhance the responsibilities and the
       authority of the Director of Administration and Finance, exactly as KPMG had
       recommended.

       As a general matter, the report suggests that Carnegie’s departments are
       stand-alone entities that manage all aspects of their own financial operations. This is
       not the case. To illustrate, billings for most grants and the recording of most
       revenues for all departments are done at P Street. P Street reviews quarterly the
       reconciliation of key balance sheet accounts prepared by departments, and makes
       any required adjustments in coordination with departmental staff. Adjustments to
       salaries are made only after review and approval by the President. Salaries and
       effort throughout the Institution are recorded in the general ledger by staff at P
       Street, following a review to help assure checks and balances. Any corrections to
       the posting of effort are done at P Street. The P Street office prepares a single set
       of financial statements for the Institution. Payroll and many human resource
       functions, such as the management of retirement contributions and health
       benefits, are centralized.
       In short, CIW does not operate in a manner that
       considers all departments to be managing all aspects of their own financial
       operations in a decentralized fashion. Rather, we consider the combination of
       headquarters staff and departmental business offices to be an integrated set of
       activities that manage the financial operations of the Institution and its
       departments. Of course, the regular meetings of the Standing Working Group
       serve to reinforce the integrated nature of our business operations.

       We conclude that the report fundamentally misstates the present relationship
       between the departments and headquarters, perhaps because the work underlying
       the report was undertaken so long ago (2007). Nonetheless, to respond further to
       this finding and recommendation, Carnegie will:

           •   Revise policies and procedures to: strengthen the safeguarding of
               assets; achieve greater standardization across departments; and
               document and fully ensure the segregation of duties. These revisions
               will be issued by October 1, 2009. Some of these steps relate to other
               findings below.

           •   Put in place a monitoring plan by August 1, 2009. A basic feature of
               this plan will include the use of an external organization to provide an
               internal audit function. We have already hired a firm for this purpose.
               The firm will review departments on a three-year schedule, with the
               result that at least two departments will be reviewed each year. In
               addition, as a separate activity, P Street will sample transactions
               across all departments in select areas each year; the monitoring plan
               will identify the specific areas to be reviewed by year.
               The transactions to be sampled will include travel, journal entries,
               purchase orders, cash receipts, and disbursements. All results of the
               external review and the internal sampling of transactions will be
               reported to the President and the Audit Committee of the Board of
               Trustees.

Cotton & Company’s Response

In response to CIW’s comments, we revised the report to state that although the corrective
action plan did not address the KPMG recommendation to add a CFO, CIW’s president did
expand responsibilities of the Director of Administration in March 2007. We also removed the
statement that CIW’s departments operate independently and manage all aspects of their own
financial operations.

CIW’s plan to revise its policies and procedures by October 1, 2009, to strengthen the
safeguarding of assets, to achieve greater standardization across departments, and to fully ensure
the segregation of duties, and its statement that it will institute a monitoring plan by August 1,
2009, as described in CIW’s comments, if implemented, are responsive to our recommendation.
We do, however, recommend that, as part of the audit resolution process, NSF confirm that
the policies and procedures have been revised and adequately implemented before the
recommendation is closed.

Finding No. 2: Federal Grant Financial and Administrative Policies and Procedures
Not Adequately Developed and Implemented

CIW developed institution-wide federal grant financial and administrative policies and
procedures.
The policies and procedures, however, did not provide adequate or sufficient
guidance in areas such as journal entries, safeguarding of blank checks, and segregation of duties
in procurement and disbursement processes.

CIW anticipated that some departments might supplement and adjust the institution-wide
policies and procedures to meet their unique operational requirements. Six of the seven CIW
departments adopted the institution-wide policies and procedures. OCIW was the only
department to develop its own procedures. None of the CIW departments adequately
implemented policies and procedures.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. Without adequate
development and implementation of federal grant financial and administrative policies and
procedures, CIW cannot ensure compliance with terms and conditions of its NSF and federal
grants. The lack of adequate implementation of federal grant financial and administrative
policies and procedures also increases the risk of future embezzlements at CIW.

This situation occurred because CIW executive management has historically considered
departments to be separate entities with separate scientific missions. While CIW enhanced
responsibilities of the Director of Administration and Finance in March 2007 and required that
the CIW business managers respond to his guidance concerning institution-wide matters, CIW
needs to ensure that this requirement is fully implemented and working as intended.

Recommendation No. 2

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to:

   •   Require CIW to fully develop and implement adequate financial and
       administrative policies and procedures for the entire organization.

   •   Periodically evaluate business practices at departments to ensure adequate
       implementation of CIW’s policies and procedures.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       Because the work underlying the report was undertaken between July and
       October 2007, it could not reflect the many changes that were underway at the
       time of the review and that were implemented thereafter. We have revised the
       policies and procedures that you examined. Nonetheless, because we know that
       we can continue to improve our operations, we will continue to strengthen our
       financial and administrative policies for the organization and will systematically
       evaluate practices at departments to ensure implementation of these policies and
       procedures.

       In July of 2006, in response to KPMG’s internal control review, Carnegie issued
       institution wide policies and procedures, including financial and administrative
       policies. The document, available on our website, states that the policies and
       procedures “apply to the Carnegie Institution of Washington, and its
       Departments…” The index to the document further indicates that Departments
       may amend and supplement these procedures, subject to a review by the Director,
       Administration and Finance. Departments were neither expected, nor required,
       to supplement these policies and procedures.
       However, it was recognized that
       some departments might wish to issue further guidance, including various desk
       procedures, and this was permitted.

       The Institution’s policies and procedures specifically incorporate all applicable
       OMB circulars and requirements. At various times over the last three years, in
       response to audit and internal assessments, Carnegie has modified its policies
       and procedures to reflect new requirements, to strengthen performance by
       adopting best practices, and to assure compliance with all external documents.
       The policies and procedures also provide for some flexibility in operations at the
       department level. However, pursuant to our institution-wide policies and
       procedures, any such adjustments are subject to review and approval by the
       Director of Administration and Finance.

       Since March of 2006 CIW has used a “Standing Working Group,” comprised of
       business managers of the departments and the Director of Administration and
       Finance, the Manager of Human Resources and Insurance, the Financial
       Manager, and the Chief Information Officer, to perform a variety of financial and
       administrative functions. The SWG meets every two weeks and its activities
       include training related to the implementation of these policies and procedures.
       This training has covered a variety of topics, such as journal entry procedures,
       effort reporting, and federal grant requirements.
       Further, the charter of the SWG
       specifically provides that the group is to “help assure that institution-wide
       activities in these areas meet established standards and promote best practices.”

       Carnegie has also strengthened its staffing capacity in the departments and at P
       Street since the period covered by most of the field work undertaken by Cotton &
       Company. We have new business managers for four of the six departments, a new
       Financial Manager at P Street, a new Deputy Financial Manager at P Street, a
       newly created position of a Senior Grants Accountant, and a new Financial
       Systems Accountant at P Street.

       With the implementation of a sophisticated new financial system (NAV) in July
       2008, we have concurrently adopted institution-wide review of grant transactions
       on a grant-by-grant basis. This is in addition to the activity at the department
       level.

       We recognize, however, that the review and improvement of policies should be a
       continuing process. To respond further to this finding, Carnegie will:

           •   Amend our policies and procedures to reflect the new processes
               that are embodied in the new accounting system and to describe
               the internal processes and individual roles for each of the six
               scientific departments and at P Street. We will require
               departments to identify, by position, the individuals performing the
               various roles, as well as any changes in responsibilities. This list
               will be kept centrally. These changes to the policies and
               procedures will be accomplished by October 1, 2009.

           •   Include this area in the monitoring plan described under Finding No. 1, to
               be developed by August 1, 2009.

Cotton & Company’s Response

The Standing Working Group, the changes in staffing and the financial accounting system, and
CIW’s plan to amend its policies and procedures, and monitor the implementation and
effectiveness of its new policies and procedures, as described in CIW’s comments, if
implemented, are responsive to our recommendation. We do, however, recommend that, as part
of the audit resolution process, NSF confirm that all the activity described as being
completed by CIW in its response and the revised policies and procedures that CIW plans to
accomplish by October 1, 2009, have been adequately implemented before the recommendation
is closed.

Finding No. 3: Grant Monitoring Practices Inadequate at Four Departments

Four of CIW’s seven departments did not effectively monitor their federal grant administrative
activities. P Street did not have a business manager to monitor financial and administrative
matters generated from PI federal grant activity. Directors at DTM, GEO, and EMB did not
regularly and routinely review business office activity related to the federal grant administration
process. OCIW, PBIO, and DGE effectively monitored the federal grant administration processes
of their respective department business office.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. CIW’s Board of
Trustees, through its Review Committee on Administration Report issued in 2006, indicated that
business managers should receive day-to-day direction and oversight from CIW department
directors.
Such direction and oversight should include reviewing monthly credit card statements,
meeting routinely with the business manager to discuss budget projections and overall federal
grant activity, and performing reviews on a regular basis.

According to the Committee of Sponsoring Organizations of the Treadway Commission and best
business practices, monitoring is a process to assess the quality of internal control performance
over time. It involves assessing the design and operation of internal controls on a timely basis
and taking necessary corrective actions. The purpose of monitoring is to ensure that controls
continue to operate effectively. Given the decentralized structure at CIW, monitoring is all the
more vital to ensure that CIW business offices and employees are complying with NSF and
federal grant requirements.

DTM, GEO, EMB, and P Street did not monitor grant administration processes at their
departments. Failure to conduct routine and thorough monitoring increases risks to financial and
administrative management of grants. We noted areas of particular concern at two departments,
xxxxxx xxxxxx.

The GEO director stated that he did not monitor the grant administration process or review NSF
grants unless he was the PI for the grant, but delegated grant monitoring to and relied on the
business office to keep grant administration affairs in order.

Without either a business office manager or department manager overseeing PI grant expenses at
xxxxxx xxx, one PI embezzled more than $200,000 from federal award funds between 1994 and
1999. The Co-PI’s scheme included paying xxxspouse over $83,000 in salary for false time-and-
effort reports that he forged; converting property purchased with award funds to his personal use;
and fabricating invoices and receipts for purchases to make them appear award-related when, in
fact, they were items purchased for his family and home. Although these instances of
embezzlement occurred before our review period, inadequate grant monitoring continues to
create a risk for NSF funds.

The lack of independent departmental monitoring of the federal grant administration process
increases the risk that irregularities or embezzlements that affect federal grant funds could occur.

Recommendation No. 3

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to:

   •   Develop and implement a policy requiring all CIW department directors to
       monitor the financial and administrative federal grant processes at their respective
       departments.

   •   Hire or delegate a business manager at P Street to approve and administer federal
       grant financial and administrative affairs of the P Street PIs.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       The work underlying the review was undertaken in 2007 and we have long since
       acted on the matters covered by these recommendations already.

       Carnegie’s current practice is to distribute month-end financial reports directly to
       PIs. The reports include both summary and detailed information, thereby
       permitting PIs to review all transactions to make sure they are correctly charged
       to grants. We have recently automated this process through a new reporting tool
       available in the new accounting system. Our performance measure is to have
       business managers distribute monthly reports within 20 business days of the close
       of the month. Performance is monitored on an institution wide basis by the
       Director, Administration and Finance, and the SWG. The responsibilities of the
       PI are described at pp. 3-4 of the Grants and Awards policies and procedures.
       Business managers, working with PIs, are responsible for resolving any
       discrepancies. We believe this internal control is highly valuable and should
       continue.

       With respect to Department Directors, our current policy provides, “The
       Department’s Director is responsible for implementing an overall grants program
       at the Department level that meets applicable requirements and helps to fulfill the
       scientific mission of the Department.”

       Regarding P Street, in the past the Accounting Office provided the same level of
       review for the expenditures of PIs at P Street as was performed for other
       departments. As a result of an on-site conversation with the Cotton & Company
       auditor during the fieldwork about the need for further review of expenses by PIs
       located at P St., we established a policy of having the Director of Administration
       and Finance review and approve all such expenses. This change occurred toward
       the end of the period of the audit (2007).

       Nonetheless, to respond further to the finding, Carnegie will:

           •   Mandate that department directors receive and review monthly
               reports on grant activities, with such report to include, at a
               minimum, the grant title, agency, start and end dates, PI, current
               period spending, grant to date spending, and funds remaining. In
               this report, the Business Manager will call attention to any matters
               requiring the Department Director’s attention.
               This institution-wide process will be put into practice no later than
               August 1, 2009. This change will serve to make more concrete the
               responsibility that the Department Directors already hold, subject to
               supervision and review by the P St. business office.

           •   Delegate formal responsibility to the Director of Administration
               and Finance to serve as the Business Manager for P Street PIs,
               effective July 1, 2009 – a role that the Director has effectively been
               playing since the end of 2007. This individual will approve all
               expenses and effort charged by these PIs. In performing this role,
               the Director will rely on the P Street accounting staff to continue
               to perform its overall functions, such as the payment of bills and
               the recording of information in the general ledger that
               otherwise might be performed by a departmental business office.
               In addition, P Street’s Senior Grants Accountant will review all
               grant-related charges for P Street’s PIs, thereby performing the
               grants review function at P Street typically performed in
               departmental business offices.

Cotton & Company’s Response

The revised grant monitoring procedures and responsibilities of the Director of Administration
and Finance, and the additional monitoring and oversight of the Department Directors as
proposed, if implemented, as described in CIW’s comments, are responsive to our
recommendation. We do, however, recommend that NSF confirm as part of the audit resolution
process that proposed and revised policies and procedures have been adequately implemented
before the recommendation is closed.

Finding No. 4: Internal Controls over the Journal Entry Process Inadequate

CIW did not have standardized, institution-wide, written journal entry procedures for
departments to follow, even though all departments have the ability to post some types of journal
entries directly into FundWare, CIW’s accounting system. In addition, three of the seven CIW
departments had no standard policies or procedures in place to properly process journal entries;
the remaining four departments had journal entry procedures, but did not follow them. Therefore,
journal entries were processed without adequate controls such as proper approvals, proper
explanations, or adequate documentation. Moreover, in our limited testing of journal entry
controls, we found approximately $25,718 inappropriately transferred to NSF awards.

An organization’s grant financial reporting process includes the use of journal entries to record
transactions such as purchases, labor costs incurred, materials and supplies. Journal entries
should have adequate supporting documentation, explanation of purpose, and evidence of
supervisory review and approval. Additionally, OMB Circular A-122, Attachment A, General
Principles, Basic Considerations, requires use and retention of adequate cost documentation. It
also states:

       Any cost allocable to a particular award or other cost objective under
       these principles may not be shifted to other Federal awards to overcome
       funding deficiencies, or to avoid restrictions imposed by law or by the
       terms of the award.

The need for CIW to have a journal entry process was also identified in the March 27, 2007,
KPMG management letter for the FY 2006 CIW financial statement audit. The auditors noted
insufficient documentation and insufficient approvals for journal entries at CIW.
The management letter recommended that each journal entry posted into the CIW accounting
system be approved and supported by appropriate documentation. CIW concurred with this
recommendation and agreed to take steps to implement its auditor’s recommendations.

During our field work testing for this engagement, however, we determined that three of the
seven CIW departments (PBIO, DGE, and DTM) had inadequate processes for making journal
entries. The remaining four departments (P Street, GEO, EMB, and OCIW) had adequate journal
entry processes, but did not follow them.

At the shared PBIO/DGE office, 29 of 43 journal entries we tested did not have one or more of
the required elements of internal controls for journal entries. We identified eight inappropriate
cost transfers made via journal entries that lacked adequate explanation and justification. These
eight cost transfers shifted $25,718 to NSF grants from other grants, because the grants to which
those costs had been charged no longer had available funds.

Also at PBIO/DGE, we identified four cost transfers made when the PIs decided after-the-fact
that expenses should be reallocated among their various grants. There were also 11 journal
entries at PBIO/DGE with missing documentation to support transactions and/or inadequate
explanations as to why the journal entries were made and 12 journal entries that did not have
adequate approvals.

DTM did not use a standard journal entry form, but rather used an accounting system-generated
printout as a means to document its journal entries. This print-out showed movement of costs
among accounts, but did not include justification, support, and preparer signatures for journal
entries.
DTM was able to locate supporting documentations for all sampled journal entries and\nprovide corresponding explanations except for one.\n\n\n\n                                           A-11\n\x0cFinally, while four departments had adequate journal entry processes, they did not follow them.\nP Street, GEO, EMB, and OCIW had journal entry procedures requiring use of a standardized,\npre-printed journal entry form that required information explaining the reason for the journal\nentry and authorization by two individuals before the journal entry was processed. The procedure\nalso required an individual different than the person who initiated the journal entry to sign-off as\napproving the journal entry. Even with these prescribed journal entry procedures, we found that\neach of the four departments made journal entries that lacked supporting documentation, lacked\nexplanations for the purpose of the journal entry, or were entered and approved by the same\nindividual.\n\nWithout proper controls over journal entry processes, such as separating accounting journal entry\nand approval functions and requiring adequate documentation and explanations for the purpose\nof the journal entry, the risk of fraudulent activities increases significantly. Inadequate journal\nentry processes can allow an individual to alter accounting records to cover fraudulent activities.\n\nRecommendation No. 
4

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to implement policies and procedures over journal entries for all CIW
Departments that require:

   •   Segregation of duties associated with authorizing, preparing, entering, and
       approving journal entries.

   •   Explanations for the purpose of the journal entry.

   •   Maintenance of all supporting documentation for the journal entry.

   •   Monitoring to ensure compliance.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       We agree that journal entry processes were insufficient during the timeframe
       covered by the audit. We have taken several steps in the intervening period since
       the audit was undertaken to strengthen these controls, and believe that much
       progress has been made.

       Actions already taken include: a) the use of a new standard journal entry form at
       the Department of Terrestrial Magnetism, beginning with the use of the new
       accounting system (NAV) in July of 2008; b) the training of all business office
       staff in the requirements for journal entries, including the need for explanations;
       c) revised processes at the Observatories, where entries are prepared by the
       accounting analyst after approval from PI/Cost Center manager and then
       reviewed by the Business Manager prior to posting; d) revised procedures
       affecting Plant Biology and Global Ecology; and e) P Street review of all journal
       entries related to departments that must be posted by P Street.

       To further respond to this finding, Carnegie will:

           •   Amend its policies and procedures by October 1, 2009, to specify
               the individual
               departmental practices, by individual position, so as
               to assure greater segregation of duties over journal entries,
               adequate explanations, and documentation.

       Include this area in the monitoring plan described under Finding No. 1, to be
       developed by August 1, 2009.

Cotton & Company’s Response

The revised and proposed revisions to the policies and procedures related to journal entries and
the plan to monitor them, if implemented, as described in CIW’s comments, are responsive to
our recommendation.

We do, however, recommend that NSF confirms as part of the audit resolution process that all
activity described as being completed by CIW in its response and revised policies and procedures
that CIW plans to accomplish by October 1, 2009, have been adequately implemented before the
recommendation is closed.

Finding No. 5: Segregation of Duties and Controls over the Disbursement Process
Inadequate

Six of the seven CIW Departments had inadequate segregation of duties or inadequate controls
over the disbursement process. Duties and responsibilities were not adequately separated,
directors did not maintain signatory authority over department disbursements, and controls over
blank-check stock were not consistently maintained. Only OCIW adequately segregated its staff
duties for authorizing and making disbursements. OCIW improved its disbursement controls
after a part-time OCIW accounting assistant was able to forge checks to fictitious vendors from
2001 to 2004, resulting in $132,222 of embezzled funds.

KPMG, CIW’s external auditors, identified the lack of segregation of duties over disbursements
at DTM, PBIO, and DGE in its FY 2006 financial statement audit management letter.
This management letter recommended that responsibilities be separated to improve controls over
disbursements.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. Best business practices
also recommend segregation of duties and authorization controls for the disbursement process.
Segregation of duties, whereby no single individual has complete control over a financial
transaction, is essential to effective internal control. By assigning separate individuals to
authorize transactions, process transactions, monitor those activities, maintain related accounting
records, and handle the related assets, the risk of error or opportunity to misuse or misappropriate
assets is reduced.

All departments except OCIW had inadequate segregation of duties and controls over
disbursements. Failure to provide adequate internal controls increases risks to financial and
administrative management of grants. We noted areas of particular concern at two departments.

The DTM fiscal assistant could enter and post invoices, print checks, and access the blank-check
stock. Similarly, the fiscal assistant’s supervisor had control over these same processes. In
response to the KPMG FY 2006 management letter, DTM assigned responsibility for mailing
checks to an administrative assistant. It did not, however, use either a control log to monitor
issuance of checks or restrict access to blank-check stock.
Because a single individual had
complete control over a financial transaction, and because of inadequate authorization oversight,
internal controls over DTM’s disbursement process are inadequate.

EMB’s assistant to the business manager had control of EMB’s blank-check stock as well as
performed accounting duties, such as processing invoices and posting them to the accounting
system, thus creating inadequate segregation of duties. The business manager corrected this
condition after we brought it to xxxx attention.

Inadequate segregation of duties and authorization controls over the disbursement process
occurred, because CIW had not established policies and procedures requiring segregation of
duties or authorization controls over disbursements. When one individual has access to all
aspects of the disbursement process, it increases the risks of irregularities and fraud.

Recommendation No. 5

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to develop and implement institution-wide policies and procedures that require
all CIW departments to:

   •   Segregate disbursement functions adequately.
   •   Require appropriate levels of approval and certification of payments.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       We have taken actions that serve largely to resolve these findings. We will take
       further steps to strengthen policies and procedures to segregate disbursement
       functions and require appropriate levels of approval.

       During the period of, and following, the review we have resolved the weaknesses
       specifically identified in the report. The Department of Terrestrial Magnetism
       has implemented a control log to monitor check issuance.
       With the implementation of the new accounting system on July 1, 2008, blank check stock
       is no longer maintained in the various departments, except for a small reserve for
       manual checks that may be required. The business manager at Embryology
       revised the process for accessing check stock at the time of the Cotton &
       Company fieldwork.

       At the Department of Plant Biology, the Business Manager has instituted strict
       segregation of duties. Although blank check stock is no longer needed, strict
       controls are maintained for the residual stock in the event that a manual check is
       needed. The Accounts Payable Specialist and Business Manager perform certain
       segregated duties.

       We also note the draft report does not describe any specific weakness regarding
       the Geophysical Laboratory. During the latter half of 2006 and 2007, that
       department fully revised its operating practices governing disbursements in order
       to achieve proper segregation of duties. Absent further information, we believe
       these procedures to meet all standards and requirements.

       Carnegie’s policies and procedures establish certain required approvals for
       check requests. These policies and procedures also cover the verification of
       approval by the check signer(s).

       Although we believe that the observations in the report are considerably out of
       date, we have decided to undertake some further steps.
       Carnegie will amend its
       policies and procedures by October 1, 2009, to specify the individual
       departmental practices, by individual position, that will help achieve greater
       segregation and appropriate levels of approval over the disbursement function.
       We will require all departments to develop and submit a list of staff and their
       responsibilities related to disbursement and other financial and accounting
       functions. The list will be maintained by the Director, Administration and
       Finance.

Cotton & Company’s Response

The revised policies and procedures, increased segregation of disbursement functions, and the
additional proposed policies and procedures, if implemented, as described in CIW’s comments,
are responsive to our recommendation. We do, however, recommend that NSF confirms as part
of the audit resolution process that all activity described as being completed by CIW in its
response and revised policies and procedures that CIW plans to accomplish by October 1, 2009,
have been adequately implemented before the recommendation is closed.

Finding No.
6: Labor-Effort Reporting Procedures Not Followed

Although CIW formulated and implemented institution-wide labor effort reporting procedures,
six of the seven (all except OCIW) CIW departments did not adhere to them, as follows:

   •   GEO and DTM reported budgeted rather than actual labor costs on their NSF
       grants.

   •   P Street did not use employee timesheets to complete effort reports for hourly
       employees.

   •   PBIO and DGE did not always approve final modified labor effort reports.

   •   DTM and EMB did not require personnel to notify supervisors of leave taken as
       part of the effort-reporting process.

OMB Circular A-122, Cost Principles for Non-Profit Organizations, Attachment B, Paragraph 7,
Compensation for Personal Services, subparagraph m, Support of Salaries and Wages, states that
charges to federal awards for salaries and wages, whether treated as direct or indirect costs, must
be based on documented payrolls approved by responsible official(s) of the organization and
supported by personnel activity reports. The reports must reflect an after-the-fact determination
of the actual activity of each employee. Budget estimates do not qualify as support for charges to
awards. The reports must be prepared at least monthly and must coincide with one or more pay
periods.

CIW’s established labor effort reporting policies and procedures support OMB requirements and
state that reports reflecting distribution of labor activity of each CIW employee must be
maintained for all staff members (professionals and nonprofessionals, full time and hourly)
whose compensation is charged, in whole or in part, directly to federal awards.
CIW employees working on federal awards are required to track the specific labor effort they
expend on each federal award to which they are assigned.

CIW procedures require each employee or the employee’s supervisor to report specific labor
effort they expend on each federal award to a designated CIW departmental official (either the
business manager or other fiscal official) who then enters that information monthly into a
labor-effort reporting template (Excel spreadsheet). These individual labor-effort reports are reviewed
and approved by the designated CIW official who prepares a summary labor-effort report
spreadsheet that is then forwarded to P Street. P Street compiles these reports and uses results to
claim labor costs on CIW’s Federal Cash Transactions Reports submitted to NSF. CIW
procedures specifically emphasize that budget estimates do not qualify for labor effort charges to
federal awards.

Even with established institution-wide labor-effort reporting policies and procedures, PIs at GEO
and DTM reported budget rather than actual labor effort on their monthly labor reports, contrary
to CIW policy and OMB requirements. PIs at both departments informed us that they used
budget allocations for their labor-effort reporting because they did not want to exceed the grant
allocation for salaries and wages.

PIs at P Street did not use employee timesheets to complete effort reports for hourly employees,
as required by CIW policies and procedures. PIs at PBIO/DGE did not always indicate their
approval of final, modified labor-effort reports prepared by the business manager, also a CIW
requirement. As a result, P Street used inaccurate or unapproved labor-effort reports to calculate
charges to CIW’s NSF grants.

Finally, DTM and EMB did not require personnel to notify supervisors of leave taken as part of
the effort-reporting process.
As a result, records did not exist to ensure that employees were not
posting labor charges to federal grants when in leave status.

Reporting labor-effort charges or employee leave using a basis other than actual labor-effort
reports prepared by an employee increases the risk that misstatements or improper labor costs
will be charged to NSF and federal grants and increases the risks that embezzlements, such as the
first instance of embezzlement at P Street, will recur.

Recommendation No. 6

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to:

   •   Ensure that institution-wide labor-effort reporting procedures are adequately
       implemented and adhered to by all CIW departments, and that all CIW business
       managers are properly trained to monitor and enforce compliance.

   •   Develop and implement procedures that require all personnel to notify supervisors
       when leave is requested and taken and labor-effort reports to accurately reflect
       such leave.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       We remain uncertain as to several of the particulars related to this finding, which
       seem to reflect some misunderstanding of our processes at the time of the review.
       Nonetheless, we have considerably strengthened our effort reporting process over
       the last year – that is, after the review was completed.

       We believe there may have been a misunderstanding of our policies and
       procedures in verbal communications between PIs and the auditors.
       During the
       internal control review, the GEO Business Manager explained the entire effort
       reporting process with the Cotton & Company staff, and provided supporting
       documentation for all transactions that were selected by Cotton & Company
       review. There was no mention at that time of any budgeted costs during this
       process, and there was no mention of any concern by the auditors. We also
       questioned the PIs who were interviewed by Cotton and Company to attempt to
       further understand the basis for this finding. We believe that individuals were
       referring to institution-wide practices related to charges, not to the requirement
       to report actual time. While an individual is required to report the percentage of
       actual time spent, under our policies and procedures we do record charges less
       than that percentage for federal grants when the resulting charge would exceed
       the amount budgeted. We cover the excess through the endowment. Our only
       possible explanation for this portion of the finding is that the auditor may have
       misinterpreted a discussion about policies for charging grants to mean that
       individuals report budgeted effort.

       Carnegie’s implementation of its new accounting and financial system, effective
       July 1, 2008, has brought about changes in the process involved in the reporting
       and recording of effort, as well as the reporting and recording of leave.
       Among
       the changes are the recording of detailed payroll information, by employee, in the
       general ledger, and additional controls to help minimize errors in reporting.
       Further, we have reviewed effort reporting requirements in the meetings of the
       Standing Working Group.

       Regarding leave, our policy does not require advance approval, documented in
       writing, of annual and sick leave. Some departments, including the Department
       of Embryology, have implemented such procedures; these occur primarily
       because some labs with vulnerable animals require certain minimum staffing
       levels at all times. However, our policy does require reporting of all leave taken.
       Specifically, under Section IV of the Payroll Policies and Procedures, employees
       must report days of leave taken along with effort percentages for time worked
       each month. When this information is entered into the standard effort report
       form, the leave percentages are automatically calculated and deducted from
       wages available for distribution among the various cost centers.

       To further respond to this finding, based on the observations in the report as well
       as best practices, Carnegie will conduct additional training in this area to ensure
       that our policies are understood and are being followed. Specifically, over the
       next six months we will provide information and instructions to all individuals
       throughout the organization who are involved in effort reporting, including
       possibly conducting on-line training for all employees. We will also revise the
       certification required of business managers through our new accounting system to
       reemphasize the federal requirements in this area.
       Finally, we will require that
       any leave recorded within the effort reporting process to the business office be
       reviewed by the responsible PI or supervisor.

Cotton & Company’s Response

The plan to conduct training related to labor-effort reporting and the planned revisions to the
certification and leave reporting procedures, if implemented, as described in CIW’s comments,
are responsive to our recommendation. We do, however, recommend that NSF confirms as part
of the audit resolution process that all activity described as being completed by CIW in its
response and revised policies and procedures have been adequately implemented before the
recommendation is closed.

Finding No. 7: CIW Purchase-Order Procurement Procedures Inadequate

CIW’s purchase-order procedures are inadequate. Its document titled CIW Policies and
Procedures states that purchase orders should be used for “high dollar” orders, but does not
define what constitutes high dollar. Instead, the procedure is left open for the departments to
interpret and determine when to use purchase orders. Two of the seven CIW departments (P
Street and DTM) did not use purchase orders as part of their procurement process. OCIW is the
only CIW department that established written procedures requiring mandatory use of purchase
orders for its acquisitions, including travel associated with federal grant activity.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. As such, standard best
business practices advocate using purchase orders as a means to ensure that purchases are
properly approved and adequately funded. Purchase orders also provide a means to control
purchases and obligate funds.
Expenses are obligated and tracked in the accounting system
through the use of purchase orders, and a purchase order is compared to its related invoice to
verify the accuracy of goods and services received at the departments.

A former xxxxxxxx xxxxxx x embezzled more than $200,000 from federal award funds between
1994 and 1999. Had purchase orders been used properly, this embezzlement could have been
detected earlier or avoided.

The DTM fiscal officer informed us that DTM does not enter purchase orders into its accounting
system, because of the rapid turnaround time from placing an order to disbursing funds.
Additionally, DTM PIs view their authority to travel to include the authority to purchase
supplies. PIs frequently travel to remote field sites to perform official federal grant duties and
often need supplies to complete excavation projects. In some instances, they make supply
purchases of several hundreds of dollars without using purchase orders.

Institution-wide purchase order procedures in the procurement process are inadequate. Without
internal controls that purchase orders provide, CIW has no level of assurance that departmental
purchases are properly budgeted, authorized, and approved, as required by OMB guidance.
Failure to use purchase orders also increases the risk that funds will be used for unallowable or
unallocable expenses and that sufficient funds will not be available to pay for actual incurred
grant costs.

Recommendation No.
7

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to:

   •   Establish institution-wide written procedures requiring use of purchase orders for
       the authorization and budgeting of all CIW department purchases to include dollar
       thresholds and specific guidelines for purchase-order use.

   •   Require departments to use purchase orders for obligating and expending funds
       within CIW’s accounting system.

   •   Develop and implement a monitoring policy and procedures to ensure that all
       CIW departments are using purchase-order procedures consistently and correctly.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

       The review was undertaken in July through October 2007 and does not reflect the
       changes that have been implemented in the period after the review. In particular,
       Carnegie’s purchase order processes have been revised with the implementation
       of the new accounting and financial management system (NAV), effective July 1,
       2008. We concur with the need to update our policies and procedures to reflect
       these new processes, as well as to specify thresholds for purchase-order use.
       However, we do not agree that purchase orders should be required for all goods
       and services. For example, utilities, direct (ACH) payments, insurance premiums,
       legal bills, postage, fees from investment managers, lodging and meals, and
       purchases in remote locations by scientific staff may best be handled and
       managed through means other than purchase orders – albeit through processes
       that provide adequate and appropriate controls.
       We also believe that
       departments should have some flexibility in determining the particular features to
       be used within our accounting system. For example, the Observatories has need
       to use a procurement granule available in NAV, but other departments have no
       need to use this particular function. Carnegie has not yet implemented the use of
       this granule at the Observatories, but plans to do so.

       To address this finding, we will:

           •   Issue revised policies and procedures by January 1, 2010.
           •   Revise processes in those departments currently not using the system-
               based purchase order feature in NAV so that by January 1, 2010, all
               departments will be using this feature.
           •   Establish a monitoring process for purchase orders as part of the overall
               monitoring plan to be implemented under Finding No. 1.

Cotton & Company’s Response

The proposed revisions to the policies and procedures related to purchase orders and the plan to
monitor them, if implemented, as described in CIW’s comments, are responsive to our
recommendation. We do, however, recommend that NSF confirms as part of the audit resolution
process that all activity described as being completed by CIW in its response and revised policies
and procedures have been adequately implemented before the recommendation is closed.

Finding No.
8: Other Matters

Other internal control weaknesses at four of the CIW departments came to our attention during
this engagement that, if not corrected, could place NSF funds at risk of errors and irregularities
without being readily detected.

Segregation of Duties Lacking and Procedures for Cash Receipts Not Followed (OCIW)

OCIW did not properly segregate duties related to cash receipts, did not make deposits in
accordance with its own written procedures, and maintained a separate bank account for
incoming checks, rather than using the CIW designated depository.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. OCIW’s own written
procedures over depositing processes require assurance that duties and responsibilities associated
with the deposit preparation process be appropriately separated. OCIW procedures also require
deposits to be made whenever $1,000 is accumulated or after 30 days from receipt.

OCIW’s cash receipt processes lack adequate separation of duties. The OCIW business manager
opens the mail, enters amounts into a journal, and prepares and makes deposits, thereby
establishing total control over the intake process and violating the segregation-of-duties concept.
These processes also did not comply with written OCIW procedures.

Our review of OCIW bank deposits identified a deposit made on February 16, 2007, consisting
of 15 checks from November 27, 2006, to February 14, 2007. This deposit was untimely and did
not comply with OCIW's written procedures.

OCIW also maintains a separate account in Pasadena, California, since it experienced lost checks
en route to P Street. OCIW did not, however, initiate procedures to send copies of deposit slips to
P Street.
Thus P Street cannot oversee funds received and deposited by OCIW.

When segregation of duties is lacking or there is a breakdown in implementation of controls over
cash receipts, errors can occur, and an individual has the potential to manipulate the cash intake
process for personal gain without being readily detected.

Inventory Control Inadequate (GEO and PBIO)

GEO and PBIO inventory management controls were inadequate and could lead to
misappropriated or improperly valued government-funded assets. At both GEO and PBIO, not all
federal assets were properly tagged or identified.

OMB Circular A-110, Subpart C, Post-Award Requirements, Paragraph 21, requires effective
control over and accountability for all funds, property, and other assets. Further, the October
2004 KPMG internal control report recommended establishing an annual inventory requirement
for all CIW departments. CIW did not, however, address this recommendation in its Corrective
Action Plan.

The failure to tag or identify government property could affect the accountability of these assets.
An annual or periodic inventory requirement provides a level of assurance regarding the
existence and proper value of government-funded assets.

Travel Policies Not Followed (DTM and OCIW)

DTM and OCIW each did not comply with CIW or federal travel policies in one instance. While
insignificant in amount, these situations indicate a weakness in controls over business practices.

OMB Circular A-122, Attachment B, Section 51, Travel costs, d. Foreign travel, states that direct
charges for foreign travel costs are allowable only when the travel has received prior approval of
the awarding agency.
Each separate foreign trip must receive such approval.

CIW Policies and Procedures on Travel also states that business offices are responsible for
assuring that meal and lodging costs in excess of the federal per-diem allowance must not be
charged directly or indirectly to federal grants in compliance with the OMB Circular A-122
standard of reasonable costs. Excess costs must be charged to accounts designated by the P Street
Accounting Office and are eventually absorbed by CIW’s endowment.

DTM charged an NSF grant for a PI’s conference meal costs that exceeded the allowable
per-diem rate. While insignificant in amount, this was a violation of CIW’s travel policy.

OCIW did not obtain NSF approval for foreign travel in one instance, which violates OMB and
CIW’s requirements. In addition, the OCIW business manager informed us that actual lodging
costs are approved without verifying them against federal limits, and thus, lodging costs that
exceed the federal allowance may still be charged to federal grants, which violates both CIW and
federal requirements.

Recommendation No.
8

We recommend that NSF’s Director of the Division of Grants and Agreements direct CIW’s
Board of Trustees to:

   •   Require OCIW to properly segregate duties related to cash receipts, make deposits
       in accordance with its own written procedures, and eliminate its separate bank
       account for incoming checks.

   •   Require GEO and PBIO to properly identify federal assets.

   •   Establish a procedure that ensures that all departments conduct annual asset
       inventories.

   •   Formulate and implement a monitoring process that will ensure that all
       departments comply with OMB and CIW travel regulations regarding meal and
       lodging costs.

Management’s Comments

In its response to the draft audit report (Appendix C), CIW stated that:

   We have implemented two of these recommendations, as follows:

       •   With respect to OCIW’s handling of cash receipts, we closed the separate
           bank account on December 5, 2008. OCIW has revised its receipt procedures
           so that duties are properly segregated. Moreover, we have recently decided
           to use an on-line deposit system at P Street and at several departments,
           including the Observatories. The introduction of this new system will require
           a revision of our policies and procedures for handling such receipts.
           We will assure that these new procedures are finalized and implemented on a
           timetable that will coincide with the implementation of the new on-line deposit
           system, which is currently scheduled to occur in 2009.

       •   With respect to asset inventories at GEO and PBIO, we have put new
           procedures in place that will assure the identification of all assets.

   To further respond to this recommendation, Carnegie will:

       •   Implement an annual, rather than the current biannual, inventory process for
           all departments, beginning with the fiscal year that begins July 1, 2009.
           Because federal regulations require that such inventories be conducted only
           every other year, we will assess the annual process after two years and
           determine whether a timetable consistent with federal regulations is
           preferable.

       •   Implement a monitoring process to help assure that all departments comply
           with applicable OMB regulations and CIW policies. Specifically, we will
           include travel within the monitoring process described in response to Finding
           No. 1.

Cotton & Company’s Response

Procedures already implemented and those proposed in CIW’s comments related to cash
receipts, inventories, and travel and the plan to monitor them are responsive to our
recommendation if properly implemented.
We do, however, recommend that NSF confirm as
part of the audit resolution process that all activity described as being completed by CIW in
its response and revised policies and procedures have been adequately implemented before the
recommendation is closed.


                                       APPENDIX B
                                 AGREED-UPON PROCEDURES


Preliminary Work with NSF

   •   Gain an understanding of the three known instances of embezzlement at Carnegie and
       determine the circumstances which allowed these embezzlements to occur. Review OIG
       audit and investigation files.

   •   Revise work plan steps accordingly to include the high risk areas identified that may have
       led to these embezzlements.

   •   Obtain and review the A-133 reports for the last 3 fiscal years.

   •   Obtain from NSF information on its review and negotiation of Carnegie’s indirect costs
       rates for the last 3 fiscal years.

   •   Obtain from NSF a list of all NSF grants active in the last 4 years that identifies which
       Carnegie department was responsible for each grant.

   •   Review the Internal Control Review Report (October 8, 2004) performed by KPMG.

   •   Review Carnegie’s Action Plan in Response to KPMG’s internal control report.
       Document an analysis and assessment of whether it adequately addresses findings from
       the internal control review report – from a preliminary perspective and to determine impact
       of Action Plan on type and extent of testing of internal controls.

   •   Review KPMG’s consulting report (August 28, 2006) and supporting workpapers
       (received from OIG subpoena) and document what was and
       wasn’t done.

KPMG Records and Meetings

   •   Meet with KPMG representatives and discuss their follow up to the internal control
       report. Determine how the A-133 reports could contain no findings in light of the
       internal control weaknesses known to them.

   •   Discuss the scope and results of any other professional or consulting services performed
       for Carnegie during last 3 fiscal years.

   •   Review KPMG’s work papers for the A-133 audits and any other Carnegie tasks
       performed for last 3 fiscal years.

   •   Review/copy cycle memos related to internal controls or accountability of federal funds,
       or other high risk areas; workpapers related to reviews of the corrective action plan; and
       any other relevant documentation.

   •   Document whether the internal control corrective action plan proposed by Carnegie was
       implemented and, if not, what was not implemented and why. Document all changes to
       Carnegie’s policies and procedures during the last 3 years.

Work Performed at Carnegie

   •   Obtain from Carnegie a list of all NSF grants active in the last 4 years that identifies
       which Carnegie department was responsible for each grant.

   •   Determine if the list provided by NSF agrees with Carnegie’s. Follow up on all
       differences.

   •   Meet with Carnegie representatives and discuss the implementation of the corrective
       action plan and any other policy or organizational changes made since October 2004,
       especially as relates to the accountability of federal funds.
       Inquire of Carnegie whether the
       institution can provide documentation on the first two instances of embezzlement, and
       review same.

   •   Inquire of Carnegie representatives if there have been any other audits, attestation or
       management reviews conducted which involve federal grant funds or any types of
       management analysis, consulting engagements, reports, etc. in response to
       embezzlements and internal control deficiencies (beyond the Corrective Action plan).

   •   If yes, obtain copies of reports, management letters, etc., and obtain Carnegie’s responses
       to reports.

   •   Discuss what the Headquarters Finance department does to oversee accountability for
       each Carnegie Department.

   •   Request contact information for all relevant employees in each department.

   •   Obtain and review copies of organization charts and policies and procedures both current
       and prior, for each Carnegie department with responsibility of accountability of federal
       funds, and in particular, NSF funds.

   •   Conduct analysis of written policies and procedures and organizational charts and note
       discrepancies and consistencies with KPMG’s cycle memos and audit workpapers.

   •   Assess the adequacy of the internal control design to prevent fraud (e.g., would the
       procedures, if followed, prevent embezzlements).

   •   From the lists of NSF grants select a sample of at least one NSF award from each
       department.

   •   For each sampled grant request a breakdown of costs claimed for the last 3 years by
       budget category that reconciles to the December 31, 2006 FCTR and Cost Share
       Certifications submitted to NSF.

   •   Inquire about any significant variances between budget
       and actual costs. Determine
       whether policies and procedures exist to compare budget to actual expenses and if so
       were they followed. Follow up on any unusual instances.

   •   Obtain an electronic download, at the detail transaction level, of expenditures for each
       sampled grant. Reconcile the expenditure reports to the cumulative amounts claimed for
       the last 3 years on the FCTRs.

   •   Select a sample of transactions from major cost categories for each grant.

   •   Scan/sort the expenditure reports to identify all expenditures that originated by journal
       entry. Include adjusting journal entries, reversing entries, and any other entries that are
       outside system generated data flow (e.g., any entries that are outside subsidiary ledger
       system generated transactions – manually made entries). Select a sample for testing and
       follow up.

   •   Scan/sort the expenditure reports to identify any large or unusual transactions. Select a
       sample for testing and follow up.

   •   For the sampled transactions, obtain and review all supporting documentation. Internal
       control attributes to be tested will be defined based on our summary of Carnegie’s
       policies and procedures.

   •   Because of the possibility of ghost employees and/or vendors, trace sampled payroll and
       vendor charges to personnel and vendor files.
       Confirm that files exist and that they were
       established in accordance with Carnegie’s established policies and procedures.

   •   Determine whether Carnegie’s internal controls, policies and procedures were followed.
       Document all exceptions and discuss exceptions with Carnegie representatives.

   •   Conduct interviews with Carnegie employees in each department to determine their
       understanding of their responsibilities with regard to federal and NSF funds.

   •   For each sampled grant also test internal controls related to draw downs, expenditure
       reporting, and other NSF compliance requirements.

   •   Discuss with the NSF OIG findings/issues noted and whether testing should be expanded
       in any area.

Summarization and Reporting

Prepare a summary for the NSF OIG that discusses the following:

   •   The results of the discussions with KPMG and the review of their workpapers.

   •   Whether Carnegie’s internal control corrective action plan has been implemented and is
       operating effectively. If not, a description of what has not been implemented and/or is
       not operational and why.

   •   Whether Carnegie’s corrective action plan is adequate to properly accumulate, track and
       monitor NSF grant funds. If not, include recommendations to address areas of
       weaknesses.

   •   Whether or not procedures performed by KPMG in the consulting engagement related to
       the 2006 embezzlement were adequate.
       If not, a description of what was not performed
       and why.

   •   An assessment of the risk that NSF funds were diverted to private use by Carnegie
       employees.

   •   A discussion of any other matters concerning instances of noncompliance with laws,
       regulations, and the provisions of NSF grant terms and conditions which have come to
       the IPA’s attention during fieldwork.

   •   A recommendation whether or not to perform audits of specific NSF awards and why.

   •   Based on discussions with Carnegie, document whether the internal control corrective
       action plan proposed by Carnegie was implemented and, if not, what was not implemented
       and why.

Prepare a final report based on discussions with NSF OIG representatives.


                                       APPENDIX C
                 RESPONSE FROM THE CARNEGIE INSTITUTION OF WASHINGTON


HOW TO CONTACT THE
NATIONAL SCIENCE FOUNDATION
OFFICE OF INSPECTOR GENERAL

Internet: www.oig.nsf.gov
Email Hotline: oig@nsf.gov
Telephone: 703-292-7100
Toll-Free: 1-800-428-2189
Fax: 703-292-9158
Mail: Office of Inspector General, National Science Foundation,
      4201 Wilson Blvd., Suite 1135, Arlington, VA 22230
"